Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Zombie Spam Server

  • Please log in to reply
3 replies to this topic

#1 BanditFlyer


  • Members
  • 283 posts
  • Local time:09:28 PM

Posted 15 December 2005 - 01:11 PM

I have an actual server that looks like it's trying to send spam. It is running Win2K Server edition. The machine is behind a firewall and has Symantec AV. It looks like SAV is keeping the outgoing messages from going out.

I have been running kaspersky for about the past 3.5 hours(this is a server, so it's going to take a while), and it hasn't found anything substantial yet - only a few email viruses in some old PST files backed up to a shared drive years ago.

I can't figure out how to attach a screen capture of the Symantec AV messages that pup-up, so for now I will just post the text of those messages:

"Your email mesage to
with the subject of
<bunch of strange characters I don't want to try to replicate on my keyboard>
was unable to be sent because the connection to the mail server was interrupted.Please open your emaill client and resend the message from the Sent Messages folder."

Anyone know of any scans that would find (and kill) zombie email server programs?

BC AdBot (Login to Remove)


#2 stidyup


  • Members
  • 641 posts
  • Gender:Male
  • Local time:12:28 AM

Posted 16 December 2005 - 03:43 AM

If you think you are infected submit a hijackthis log to the HJT Forum.

How to submit a hijackthis log

Download Hijackthis

Try running the following from safe mode (Getting to safe-mode) Sysclean you'll also need the virus template file from here lpt***.zip remember to extract the contents of the zip file into the same folder as Sysclean.com


DrWeb CureIT


KASFX which is powered by the Kaspersky AV engine, you will need internet access to update it. If you haven't got net access in safe mode, update it before you use it.

If your good with the command line also try Sophos Command Line scanner this command will scan all of your hdd's SAV32CLI.EXE -F -di -remove -dn -mbr -all -zip -p=avscanlog.txt and give you a log file to review afterwards.

#3 BanditFlyer

  • Topic Starter

  • Members
  • 283 posts
  • Local time:09:28 PM

Posted 16 December 2005 - 01:15 PM


Booting a mission critical server to safe mode is a scary proposition!!!

I was also wondering if it is OK to use the same anti-malware apps on a server - spybot s&d, Ad-aware, HJT, etc. - as you would normally use on a desktop.

To update you on the status of this problem, for now I have a BandAid over that gaping wound - I shut off SMTP services. Tech support(paid tech-support) turned on SMTP for some reason, and that's when the problem started.

Good to know that the server has some malware on it though. I never would have know that without tech-support turning on SMTP. Unfortunately, this site is often better than paid tech-support.

Any ideas on how to run other malware scans on a mission critical server?

#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,769 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:28 AM

Posted 16 December 2005 - 03:09 PM

Ad-Aware SE Enterprise Edition 2005
Trend Micro Anti-Spyware Enterprise Edition
Anti-Spyware - Enterprise Edition by McAfee

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users